Generally speaking, owners and admins are the ones actively using the console, while a user with the user role simply consumes the resources the console manages.
Admins and owners are the ones that can edit permissions.
The main difference between an owner and an admin is that the owner can rename the organization and manage billing.
An owner can also upgrade/downgrade any user to any permission level.
Both owners and admins can see and edit all of the enclaves, regardless of whether they are members of the enclave or not.
Since the owner is the only one with top level access, an organization must always have at least one owner.
An admin can edit user permissions, with the exception of elevating users to owners.
Like the owner, an admin can create, see, edit and remove all enclaves, regardless of whether they are members of the enclave.
A user only sees the enclaves they are members of and cannot take any administrative action on them.
In reality there is very little reason for them to even log in to the console. They are simply meant to connect through one of the clients and use the resources to enable secure communications and internet usage for their devices.
To be clear: A user cannot add enclaves, remove enclaves, see enclaves they are not members of, edit the resources an enclave has, do any billing nor edit any permissions.
Per-enclave permissions exist so that you can elevate the permissions of organization users on a single enclave. Elevating the permissions of an organization owner/admin on an enclave would not accomplish anything, since they already have full permissions at the organization level, which includes all enclaves. But hey, you do you.
Enclave admin:
Can invite/remove users from the enclave.
Can edit user permissions on the enclave.
Can rename/delete the enclave.
Cannot edit any organizational settings or billing; remember, this is an enclave permission.
Can connect to the enclave.
Enclave user:
Can connect to the enclave, but has no other permissions.
Let's say the organization Aperture Science Inc. wants an enclave for one of their science labs. They create an enclave named portal-device-lab, add an employee from the science lab to the enclave and make her an admin on the enclave. She can now add/remove people on that enclave (portal-device-lab), edit its resources and do pretty much anything an owner/admin of the organization can do to all enclaves, but only on the portal-device-lab enclave.
Note: An enclave admin is also allowed to delete/rename the entire enclave.
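To make the two-level model concrete, here is an added example that encodes the rules from this page as a single authorization check and walks through the Aperture Science scenario above. It is illustrative code written for this page, not Enclave's own implementation: the Organization/Enclave classes, the action names, the is_allowed() and change_org_role() functions and the employee names (chell, caroline, cave, wheatley, plus a second constructed enclave, turret-line) are all assumptions; only the rules follow the text.

```python
# Added example (not Enclave's own code): a minimal model of the organization
# and enclave permission rules described on this page. Class, function, action
# and user names are assumptions made for the illustration.
from dataclasses import dataclass, field
from enum import Enum


class OrgRole(Enum):
    OWNER = "owner"
    ADMIN = "admin"
    USER = "user"


class EnclaveRole(Enum):
    ADMIN = "admin"
    USER = "user"


@dataclass
class Enclave:
    name: str
    members: dict = field(default_factory=dict)   # user -> EnclaveRole


@dataclass
class Organization:
    name: str
    org_roles: dict                                # user -> OrgRole
    enclaves: dict = field(default_factory=dict)   # enclave name -> Enclave


# Actions on the organization itself (only owners may rename or do billing).
ORG_ACTIONS = {"rename_org", "billing", "create_enclave", "edit_org_permissions"}
# Actions on one enclave; an enclave admin gets all of them on that enclave.
ENCLAVE_ACTIONS = {"view", "connect", "edit_resources", "invite_member",
                   "remove_member", "edit_member_permissions", "rename", "delete"}
# The subset an enclave user gets: see it and connect to it.
ENCLAVE_USER_ACTIONS = {"view", "connect"}


def is_allowed(org, user, action, enclave_name=None):
    """Decide whether `user` may perform `action` in `org`, optionally on one enclave."""
    role = org.org_roles.get(user)
    if role is None:
        return False                          # not in the organization at all
    if action in ORG_ACTIONS:
        if role == OrgRole.OWNER:
            return True                       # owner: everything, incl. billing and renaming
        if role == OrgRole.ADMIN:
            return action in {"create_enclave", "edit_org_permissions"}
        return False                          # organization users do nothing at org level
    if action in ENCLAVE_ACTIONS:
        enclave = org.enclaves.get(enclave_name)
        if enclave is None:
            return False
        if role in (OrgRole.OWNER, OrgRole.ADMIN):
            return True                       # full access to every enclave, membership irrelevant
        member_role = enclave.members.get(user)
        if member_role is None:
            return False                      # non-members cannot even see the enclave
        if member_role == EnclaveRole.ADMIN:
            return True                       # enclave admin: everything, but only on this enclave
        return action in ENCLAVE_USER_ACTIONS
    raise ValueError(f"unknown action: {action!r}")


def change_org_role(org, actor, target, new_role):
    """Edit an organization-level permission: only owners/admins may edit
    permissions, only an owner may create an owner, and the last owner can
    never be demoted (an organization must always have at least one)."""
    actor_role = org.org_roles.get(actor)
    if actor_role not in (OrgRole.OWNER, OrgRole.ADMIN):
        raise PermissionError("only owners and admins can edit permissions")
    if new_role == OrgRole.OWNER and actor_role != OrgRole.OWNER:
        raise PermissionError("only an owner can elevate a user to owner")
    if org.org_roles.get(target) == OrgRole.OWNER and new_role != OrgRole.OWNER:
        owners = [u for u, r in org.org_roles.items() if r == OrgRole.OWNER]
        if owners == [target]:
            raise PermissionError("an organization must always have at least one owner")
    org.org_roles[target] = new_role


def role_change_permitted(org, actor, target, new_role):
    """True if change_org_role() succeeds (and applies it), False if it is refused."""
    try:
        change_org_role(org, actor, target, new_role)
        return True
    except PermissionError:
        return False


def aperture_scenario():
    """The worked example from the text: Aperture Science Inc. creates
    portal-device-lab and makes a lab employee (constructed name: chell)
    an admin on that enclave only. Returns each check's outcome."""
    org = Organization("Aperture Science Inc.",
                       org_roles={"cave": OrgRole.OWNER, "caroline": OrgRole.ADMIN,
                                  "chell": OrgRole.USER, "wheatley": OrgRole.USER})
    lab = Enclave("portal-device-lab", members={"chell": EnclaveRole.ADMIN})
    turrets = Enclave("turret-line", members={"wheatley": EnclaveRole.USER})   # constructed
    org.enclaves = {lab.name: lab, turrets.name: turrets}
    return {
        "chell_manages_lab": is_allowed(org, "chell", "invite_member", "portal-device-lab"),
        "chell_deletes_lab": is_allowed(org, "chell", "delete", "portal-device-lab"),
        "chell_sees_turrets": is_allowed(org, "chell", "view", "turret-line"),
        "chell_billing": is_allowed(org, "chell", "billing"),
        "admin_edits_any_enclave": is_allowed(org, "caroline", "edit_resources", "turret-line"),
        "admin_billing": is_allowed(org, "caroline", "billing"),
        "wheatley_connects": is_allowed(org, "wheatley", "connect", "turret-line"),
        "wheatley_renames": is_allowed(org, "wheatley", "rename", "turret-line"),
        "admin_promotes_owner": role_change_permitted(org, "caroline", "wheatley", OrgRole.OWNER),
        "user_edits_permissions": role_change_permitted(org, "chell", "wheatley", OrgRole.ADMIN),
        "last_owner_demoted": role_change_permitted(org, "cave", "cave", OrgRole.ADMIN),
        "owner_promotes_admin": role_change_permitted(org, "cave", "caroline", OrgRole.OWNER),
    }
```

One caveat worth noting: the page says an admin cannot elevate users to owners but does not say whether an admin may demote an existing owner, so the example takes the text literally and only blocks the promotion. If your deployment should treat owner status as untouchable by admins, add that check to change_org_role().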